Add x509_crt_check_extended_key_usage()

commit: 7afb8a0dca4036a118b62eac170575415d2350c2 [log] [tgz]
author: Manuel Pégourié-Gonnard <mpg@elzevir.fr> Thu Apr 10 17:53:56 2014 +0200
committer: Manuel Pégourié-Gonnard <mpg@elzevir.fr> Fri Apr 11 11:09:00 2014 +0200
tree: 20b4e753d62c6d33f366b67ed446e9727a725d10
parent: d6ad8e949b3dce716601ea269e095db1b617533a [diff] [blame]
diff --git a/include/polarssl/config.h b/include/polarssl/config.h
index 2def1ee..6d7bd86 100644
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h

@@ -972,6 +972,19 @@
 #define POLARSSL_X509_CHECK_KEY_USAGE
 
 /**
+ * \def POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE
+ *
+ * Enable verification of the extendedKeyUsage extension (leaf certificates).
+ *
+ * Disabling this avoids problems with mis-issued and/or misused certificates.
+ *
+ * \warning Depending on your PKI use, disabling this can be a security risk!
+ *
+ * Comment to skip extendedKeyUsage checking for certificates.
+ */
+#define POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE
+
+/**
  * \def POLARSSL_ZLIB_SUPPORT
  *
  * If set, the SSL/TLS module uses ZLIB to support compression and
commit	7afb8a0dca4036a118b62eac170575415d2350c2	[log] [tgz]
author	Manuel Pégourié-Gonnard <mpg@elzevir.fr>	Thu Apr 10 17:53:56 2014 +0200
committer	Manuel Pégourié-Gonnard <mpg@elzevir.fr>	Fri Apr 11 11:09:00 2014 +0200
tree	20b4e753d62c6d33f366b67ed446e9727a725d10
parent	d6ad8e949b3dce716601ea269e095db1b617533a [diff] [blame]